Add support for Web Authentication API

[MauricioFauth]

Adds a two factor authentication plugin that supports FIDO2/WebAuthn security keys.

• Related to 2FA U2F FIDO - U2F API deprecating soon  #17229
• Related to Add support for Web Authentication API #17972

This pull request implements a custom WebAuthn server.
The WebAuthn server doesn't support attestation and some checks are still incomplete.
The CBOR decoder is not specification complete.

References:

• https://webauthn.guide/
• https://www.w3.org/TR/webauthn-3/
• https://www.rfc-editor.org/rfc/rfc7049
• https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API

[codecov]

Codecov Report

Base: 47.73% // Head: 46.49% // Decreases project coverage by -1.23% ⚠️

Coverage data is based on head (f143d2a) compared to base (d0fc1da).
Patch coverage: 44.44% of modified lines in pull request are covered.

Additional details and impacted files

@@             Coverage Diff              @@
##             QA_5_2   #17989      +/-   ##
============================================
- Coverage     47.73%   46.49%   -1.24%     
- Complexity    16825    16959     +134     
============================================
  Files           602      607       +5     
  Lines         71576    72313     +737     
============================================
- Hits          34164    33624     -540     
- Misses        37412    38689    +1277     

Flag	Coverage Δ
dbase-extension	47.17% <43.96%> (-0.01%)	⬇️
recode-extension	47.15% <43.96%> (-0.04%)	⬇️
unit-7.2-ubuntu-latest	47.17% <43.96%> (-0.01%)	⬇️
unit-7.3-ubuntu-latest	47.66% <47.03%> (+0.04%)	⬆️
unit-7.4-ubuntu-latest	47.63% <47.03%> (-0.01%)	⬇️
unit-8.0-ubuntu-latest	47.71% <47.03%> (-0.01%)	⬇️
unit-8.1-ubuntu-latest	47.71% <47.03%> (-1.27%)	⬇️
unit-8.2-ubuntu-latest	47.72% <47.03%> (-1.25%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
libraries/classes/Plugins/TwoFactor/Key.php	17.97% <0.00%> (ø)
libraries/classes/WebAuthn/CustomServer.php	0.00% <0.00%> (ø)
libraries/classes/WebAuthn/WebauthnLibServer.php	44.23% <44.23%> (ø)
libraries/classes/WebAuthn/DataStream.php	59.09% <59.09%> (ø)
libraries/classes/WebAuthn/CBORDecoder.php	94.30% <94.30%> (ø)
...asses/Controllers/JavaScriptMessagesController.php	99.63% <100.00%> (+<0.01%)	⬆️
libraries/classes/Plugins/TwoFactor/WebAuthn.php	100.00% <100.00%> (ø)
libraries/classes/TwoFactor.php	77.06% <100.00%> (+0.21%)	⬆️
libraries/classes/Config/Descriptions.php	4.28% <0.00%> (-95.72%)	⬇️
libraries/classes/Template.php	75.00% <0.00%> (-7.70%)	⬇️
... and 4 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[williamdes]

https://github.com/phpmyadmin/phpmyadmin/actions/runs/3797400536/jobs/6458304595#step:11:783

[williamdes]

Can I test it once more ?

[MauricioFauth]

@williamdes Could you test it?

There are some things still missing that can be done in other pull requests:

• The possibility to add more than one key.
• Automatic migration of U2F keys to use the new plugin. For now, users that had register with the old API can use Firefox to login, deactivate the U2F plugin and enable the WebAuthn plugin to use with other browsers.

[williamdes]

Two-factor authentication failed: Expected a different value than "".

With and without HTTPS on http://8.2.local/@phpmyadmin/phpMyAdmin-QA_5_2/index.php?route=/preferences/two-factor

On click on the button below "Please connect your WebAuthn/FIDO2 device. Then confirm registration on the device."

[williamdes]

Same on Firefox

[MauricioFauth]

Same on Firefox

I can't replicate this. Looks like there is something wrong with your JavaScript. Did you compile it and updated the cache?

[williamdes]

Same on Firefox

I can't replicate this. Looks like there is something wrong with your JavaScript. Did you compile it and updated the cache?

Ah, sorry
I forgot to do this
Will test it soon

[williamdes]

This error still exists when you persist on clicking the enable button.
That said the feature works fine, awesome job ! 🎉

I think you can merge this PR after fixing this error so testing can be done on a larger scale

[MauricioFauth]

This error still exists when you persist on clicking the enable button. That said the feature works fine, awesome job ! tada

I think you can merge this PR after fixing this error so testing can be done on a larger scale

I'm not sure why this button is appearing to you, since it's getting hidden with JS, but I fixed the error message anyway.

[williamdes]

I'm not sure why this button is appearing to you, since it's getting hidden with JS, but I fixed the error message anyway.

Now it is fixed (the error) but the button only appears when I am using HTTP now. So I can click it but at least it gives an consistent error each time.

One last thing is to add the optional package to PACKAGE_LIST on create-release.sh and use the check release excludes script but nothing should show up

[williamdes]

The snapshot was re-built right now, thank you for your awesome work on this !

If possible an error should be show on chrome and not nothing when the user tries to login using the old U2F method ?

[MauricioFauth]

The snapshot was re-built right now, thank you for your awesome work on this !

Thank you!

If possible an error should be show on chrome and not nothing when the user tries to login using the old U2F method ?

This will done in another PR.